Mandatory appointment of Data Protection Officer: the Working Party’s position pursuant to art. 29

Tuesday February 21st, 2017

On 13 December 2016 the European Data Protection Supervisor (Working Party – WP29) issued three documents containing information and recommendations on important novelties in the Regulation (right to data portability, D.P.O., Lead Authority), in view of its application, effective from May 25, 2018.

With regard to the Data Protection Officer, the guidelines first highlight that the appointment of such a role is the basis of a positive process of adaptation to the legislation, and that the same officer can at the same time act as an intermediary with different stakeholders, including Supervisory Authorities. It is therefore clear that WP29 encourages the identification of a Data Protection Officer also by companies that would be exempt from this requirement, considering such an appointment a good practice, even before focusing on the cases in which the appointment of the D.P.O. is mandatory under the new regulations. Fostering the principle of accountability introduced by the Regulation, the WP29 recommends documenting in writing the grounds that led to the choice of whether or not to appoint a DPO, so as to prove (in the event of an inspection) that the most important elements have been duly taken into account.

With reference to the first case in which the appointment of a D.P.O. is mandatory (processing operations carried out by a “Public Authority” or a “Public Entity” – art. 37 co. I l. a) of the Regulation), WP29 states that there is no obligation for private companies providing public services, such as those working in the energy or transport sector. However, since in this case the parties concerned would face a condition similar to that of public authorities or public entities in processing data, the guidelines specify that the appointment of a D.P.O. is definitely a good practice.

Besides the case indicated above, Article 37 co. I l. b) and c) of the Regulation requires the appointment of a Data Protection Officer if the core activities of the Data Processor/Data Controller consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.

In explaining the meaning of “core activities” of the Data Controller or Data Processor, the WP29 states that such activities include the processing of personal data whenever the latter is an integral part of the activities routinely carried out by these entities. It follows, for example, that the provision of the services typically offered by a hospital is closely connected with the processing of data on the health of patients.

With reference to the definition of “large-scale processing”, the WP29 does not seem to take a specific position, as it does not provide a quantitative definition. It instead indicates a range of elements to be evaluated, including the number of data subjects, the volume of data processed, the duration of the processing and its geographical scope. In this regard, it provides a series of examples of processing that fall into this category, including the processing of personal data carried out by banks or insurance companies, or the processing of travel data of persons using a public transport network. Finally, “regular and systematic monitoring” is defined as monitoring performed periodically or continuously, and includes, for example, online profiling.


From a reading of this document it is clear that WP29 did not provide detailed indications regarding the burden imposed on companies. It is, however, the first attempt to provide practical guidance with respect to the figure of the Data Protection Officer, which is crucial for each organization.

The lack of detail in specifying the obligations contained in the Guidelines forces the Data Controller/Data Processor to document in writing the grounds that led to the adoption of a decision, or to a specific compliance choice, in view of the general principle of accountability contained in the Regulation.


2 thoughts on “Mandatory appointment of Data Protection Officer: the Working Party’s position pursuant to art. 29”

  1. paolo calvi

    I agree above all with the emphasis that the WP29 “considers the designation of this figure a good practice and encourages the identification of a DPO also by companies that would be exempt from this requirement”. That is what, as a consultant, I would generally feel inclined to suggest to clients. If they are small, they will designate an external DPO and share it with others.

  2. silvia stefanelli

    Hi,
    in my opinion the focal point for borderline situations will be the reasoning given for the decision taken.

    Let me explain better (with examples from the healthcare sector, which I deal with).

    In the healthcare field we will have the following situations:
    1) entities directly obliged by the GDPR to have a DPO (e.g. hospitals, as public entities)
    2) entities that clearly do not need to have a DPO (e.g. an individual doctor, being excluded by a recital and also by the WP29 opinion)
    3) entities for which it is not clear whether they must have one or not (e.g. a multi-specialty clinic providing services to a large number of patients – or a network of analysis laboratories at regional or extra-regional level)

    Obviously for case 3) the doubt arises as to whether or not to make the appointment.
    In this case (in my opinion):
    – if I appoint the DPO I will have no problems (given the legislative favour towards such an appointment)
    – if I decide not to appoint one I will have to EXPLAIN and JUSTIFY on the basis of which reasoning I do not consider it necessary to proceed with the appointment (that is, I will have to prepare a rationale on the grounds supporting the decision not to proceed, explaining for example for which reasons I consider that I do not fall within the notion of “large-scale processing”)

    Not only must such reasoning be expressed and articulated, but it (and its robustness) will also be relevant in measuring any penalty.
    The combined reading of the criteria of art. 83 on penalties and the applicability of Law 689/81 (rules on administrative penalties) in fact allows one to consider that the Garante authority will be able to increase or decrease the quantum of the penalty according to greater or lesser culpability (which emerges from the evidence of the reasoning that led the controller not to appoint the DPO)
